174707 – audit is missing fs object identity info when removing some xattrs

Bug 174707 - audit is missing fs object identity info when removing some xattrs

Summary: audit is missing fs object identity info when removing some xattrs

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Alexander Viro
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:	245197
Blocks:	175213 RHEL4U4Audit xattrs-tracker 245198
TreeView+	depends on / blocked

Reported:	2005-12-01 16:28 UTC by Amy Griffis
Modified:	2007-11-30 22:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:	RHBA-2007-0791
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-15 16:13:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2007:0791	0	normal	SHIPPED_LIVE	Updated kernel packages available for Red Hat Enterprise Linux 4 Update 6	2007-11-14 18:25:55 UTC

Description Amy Griffis 2005-12-01 16:28:14 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
When removing the "trusted.md5sum" xattr, audit does not produce FS_WATCH records for a watched file.  Since audit does not produce PATH records for fremovexattr, this results in no filesystem object identity information for this syscall.

Version-Release number of selected component (if applicable):
kernel-2.6.9-22.0.1.EL.audit.1 (rhel4 u2 kernel + 173500  fix)

How reproducible:
Always

Steps to Reproduce:
1. enable syscall auditing
2. auditctl -a entry,always -S fremovexattr
3. auditctl -w /tmp/foo -k TMP_FOO
4. fd = open("/tmp/foo", O_RDWR, 0);
5. fsetxattr(fd, "trusted.md5sum", "0", sizeof("0"), XATTR_CREATE)
6. fremovexattr(fd, "trusted.md5sum");

Actual Results:  Audit log from x86_64 architecture:

type=SYSCALL msg=audit(1133453735.714:3811): arch=c000003e syscall=2 success=yes exit=3 a0=7fbffffc86 a1=2 a2=0 a3=7fbffff901 items=1 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3811): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=6
type=FS_INODE msg=audit(1133453735.714:3811): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00
type=CWD msg=audit(1133453735.714:3811):  cwd="/home/eal"
type=PATH msg=audit(1133453735.714:3811): name="/tmp/foo" flags=101  inode=213048 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3812): arch=c000003e syscall=190 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=2 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133453735.714:3812): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133453735.714:3812): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

type=SYSCALL msg=audit(1133453735.714:3813): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008f2 a2=4008f0 a3=7fbffff901 items=0 pid=6958 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"

Expected Results:  The same operation using the xattr "user.mime_type" with value "text/plain" produces the following records for fremovexattr:

type=SYSCALL msg=audit(1133454070.709:3823): arch=c000003e syscall=199 success=yes exit=0 a0=3 a1=4008fb a2=4008f0 a3=7fbffff901 items=0 pid=7018 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="t_fremovexattr" exe="/home/eal/t_fremovexattr"
type=FS_WATCH msg=audit(1133454070.709:3823): watch_inode=213048 watch="foo" filterkey=TMP_FOO perm=0 perm_mask=2
type=FS_INODE msg=audit(1133454070.709:3823): inode=213048 inode_uid=0 inode_gid=0 inode_dev=fd:00 inode_rdev=00:00

Additional info:

Comment 1 Andrius Benokraitis 2005-12-07 16:46:02 UTC

Hi Amy, did you have a patch proposed for this, or is this just a notification
of the bug? How severe is this as well? Thanks!

Comment 2 Linda Knippers 2005-12-07 18:46:35 UTC

Hi Andrius, 
We don't have a proposed patch, its just a bug notification.
While it is a problem that ought to be fixed at some point, it
isn't critical for our purposes right now.

Comment 4 Daniel Riek 2006-11-21 19:56:16 UTC

Not planned for 4.5. Moving to 4.6

Comment 5 RHEL Program Management 2007-05-09 11:04:01 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 7 RHEL Program Management 2007-06-11 22:41:51 UTC

This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.

Comment 8 Jason Baron 2007-06-19 14:06:06 UTC

committed in stream U6 build 55.9. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/

Comment 13 errata-xmlrpc 2007-11-15 16:13:12 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0791.html

Note You need to log in before you can comment on or make changes to this bug.